Layer7 Access Management

Tech Tip - CA Single Sign-On: Policy Server: Does the Policy Server support the TLSv1.1/TLSv1.2 protocol for LDAP connectivity with the Policy Store/User Store?

By Ujwol posted 08-23-2016 11:45 PM


Introduction:

The customer wants to disable the SSL protocol and enable TLSv1.1/TLSv1.2 for the Policy Server's connection to the LDAP Policy Store/User Store.

Question:

Does the Policy Server support the TLSv1.1/TLSv1.2 protocol for LDAP connectivity with the Policy Store/User Store?

Environment:

Policy Server Version: R12.0SP3 and above

Answer:


What determines which SSL/TLS protocols the Policy Server supports for its LDAP connections?

The Policy Server uses the Mozilla LDAP SDK to communicate with LDAP directories (Policy Store, User Store, etc.).

These libraries are deployed under the Policy Server bin folder. The main one is the Network Security Services base library: nss3.dll (Windows) / libnssutil3.so (Unix).

So support for the different security protocols (SSL, TLS 1.0/1.1/1.2, etc.) primarily depends on whether the bundled NSS library supports them.

Support for TLS v1.1 (RFC 4346) is available from NSS 3.14:

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.14_release_notes

Support for TLS v1.2 (RFC 5246) is available from NSS 3.15.1:

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.15.1_release_notes


Does the Policy Server support the TLSv1.2 protocol for LDAP connectivity with the Policy Store/User Store?

As seen above, this depends on the version of the NSS libraries shipped. Now let's look at the NSS library version shipped with each Policy Server version:

  • R12.SP3CR12  = NSS 3.3.2.0
  • R12.51CR6 onwards until CR10 = NSS 3.14.3.0
  • R12.52SP1 CR7 onwards = NSS 3.28.1
  • R12.52SP2 until CR1  = NSS 3.14.3.0
  • R12.6 = NSS 3.20


Conclusion:


  • R12.0SP3CR12 doesn't have support for the TLS protocol. It supports only SSL.
  • R12.51CR6 onwards, we have support for TLS but only up to TLSv1.0 (due to an internal limitation we don't support TLSv1.1). However, you can request a NIN for this, as we have already certified the NSS 3.30.2 libraries for this release (CA only refer: DE300577).
  • R12.52SP1 CR7 onwards, we have support for both TLS v1.1 & TLS v1.2.
  • R12.52SP2 until CR1 doesn't have support for TLSv1.1 & TLSv1.2 (open a support ticket if you need a NIN for this release).
  • R12.6 onwards, we have support for both TLS v1.1 & TLS v1.2.
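To turn the NSS thresholds above (TLS 1.1 from NSS 3.14, TLS 1.2 from NSS 3.15.1) and the shipped-version table into a repeatable check, here is an added example, not part of the original article or of CA's own tooling. It assumes the library you point it at exports the standard NSS_GetVersion() call (libnss3.so / nss3.dll do); the bin-folder path used is a constructed placeholder, and the result is the library's capability only, which the Policy Server may be certified below (as the R12.51 note says).

```python
"""Map the NSS library bundled with a Policy Server to the TLS versions it can
offer for LDAPS, using the thresholds the article cites."""
import ctypes
import re

TLS11_MIN = (3, 14)      # TLS 1.1 (RFC 4346) available from NSS 3.14
TLS12_MIN = (3, 15, 1)   # TLS 1.2 (RFC 5246) available from NSS 3.15.1


def parse_nss_version(text):
    """Turn '3.14.3.0' or '3.28.1 Basic ECC' into a comparable tuple of ints."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("no NSS version found in %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))


def tls_support_from_nss(text):
    """Upper bound on TLS versions the NSS library itself can negotiate.
    True means 'library capable', not 'Policy Server certified': the article
    notes R12.51 ships NSS 3.14.3 yet is limited to TLSv1.0."""
    v = parse_nss_version(text)
    return {"TLSv1.1": v >= TLS11_MIN, "TLSv1.2": v >= TLS12_MIN}


def probe_nss_version(lib_path):
    """Load the NSS library from the Policy Server bin folder and ask it for
    its version via NSS_GetVersion(). Returns None if the library cannot be
    loaded or lacks the symbol, so it is safe on a host without SiteMinder."""
    try:
        lib = ctypes.CDLL(lib_path)
        lib.NSS_GetVersion.restype = ctypes.c_char_p
        lib.NSS_GetVersion.argtypes = []
        return lib.NSS_GetVersion().decode("ascii")
    except (OSError, AttributeError):
        return None


if __name__ == "__main__":
    # Constructed placeholder path; on Windows point at <PS_HOME>\bin\nss3.dll.
    shipped = probe_nss_version("/opt/CA/siteminder/bin/libnss3.so")
    # Fall back to the versions the article lists so the script runs anywhere.
    samples = [shipped] if shipped else ["3.3.2.0", "3.14.3.0", "3.20", "3.28.1"]
    for label in samples:
        print(label, tls_support_from_nss(label))
```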


Comments

06-12-2018 02:53 PM

Ujwol,

 

Thanks for the information. We have the 12.52.1.154 version of SiteMinder; would this support TLS 1.1? We are seeing issues when connecting to the LDAPS User Store. Here is the NSS lib libnssutil3.so shipped with the R12.52 SP1 version of the Policy Server.

 

Thanks

Pradeep M

03-20-2018 06:41 AM

Informative KB, Thanks!!

03-19-2018 01:51 AM

Good Article - Got to know about NSS libraries.

03-15-2018 10:40 PM

There isn't any configuration on the PS side to disable TLS 1.0.

You will need to disable it on the LDAP.

03-14-2018 11:50 AM

Does adding the TLS 1.1 library disable TLS1? If not, can TLS1 be turned off?

07-12-2017 05:39 PM

Thanks Ujwol !

07-11-2017 03:46 PM

NIN = Need it Now

07-11-2017 03:45 PM

NIN = dev fix. You don't need to upgrade.

If you are not in a position to upgrade please open a support ticket and request fix.


I am hoping that we shall be able to back port fix to 12.52SP2

07-11-2017 12:58 PM

Thanks Ujwol !

 

So, we are just left with an option to upgrade from R12.52 to R12.6 to be compliant with TLS1.2? Do you suggest any other alternative?

 

What does NIN build stands for?

 

Regards,

VK

07-07-2017 06:28 PM

Hi VK, 


I need to check CR2, but if it shipped with the 3.14 version then yes, theoretically it should support only up to 1.1, but it may have a problem supporting even that due to some internal PS limitation.


But if you need tls 1.1/1.2 support you can just request for NIN build.


Regards,

Ujwol


07-07-2017 01:51 PM

Hi Ujwol,

 

I reckon R12.52SP2 CR02 is shipped with the NSS 3.14.3.0 version. Does it mean only TLSv1.1 is supported with this SM Policy Server version?

 

09-07-2016 07:58 PM

That is correct. R12.52 SP1 CR01 supports TLS 1.1.

If this isn't working, please open a support ticket as it might need some troubleshooting.

09-07-2016 07:33 PM

Hi Chandrashekhar,

 

No, as of today (12.52 SP1 CR5, 12.52SP2CR1), there is no support for TLS 1.2 communication between the Policy Server and LDAP.

There is an enhancement request created for this :

Upgrade 12.52 policy server(Solaris 10) to communicate with Active Directory over TLS 1.2 

This will be updated when the support is available.

 

Regards,

Ujwol Shrestha

09-07-2016 02:52 PM

Also you mention in your note above that "we do have support upto TLS 1.1" - does that mean TLS 1.1 supported with R12.52 SP1 CR01? 

 

Questioning, since we are seeing issues connecting to backend with TLS 1.1

 

Thanks,

Chandrashekhar Rane

09-07-2016 02:38 PM

Hi Ujwol,

 

Is TLS 1.2 support now added, or is this something planned for the future?

If TLS 1.2 support is added, then do we know which version of SiteMinder is supported with TLS 1.2?

 

Thanks,

Chandrashekhar Rane

08-31-2016 07:43 PM

Hi Jaswanth,

That's right.

08-31-2016 05:45 PM

Ujwol, thank you for the information. It's helpful.

 

So, SiteMinder is not using the 3.15.X lib as of now?
